But the discovery came a few days after the apps hit the Android Market, so an estimated 20,000 to 500,000 users may already have downloaded the infected apps, most of which are pirated versions of legitimate Android apps, including Super Guitar Solo, Music Box, Advanced Barcode Scanner, and Spiderman, mobile security experts say. A user on Reddit first flagged the malware, and then Lookout Security found additional infected apps, all of which contain a piece of malware called DroidDream.
Google doesn't vet or security-scan apps submitted to its open, community-based app market, but security experts say the invasion of rogue apps could ultimately pressure the search engine giant to add some form of vetting applications before they hit the Market. It's all based on user comments and rankings of apps, and notifications to the user on what functions in the phone the app wants to use before he downloads it. "It's totally up to the user," says Chris Wysopal, CTO of Veracode. "This is not really working."
Google was not available to comment on any plans to change up the app submission process.
Security experts had been predicting that Android's open market could backfire. Apple does some security vetting of apps for the iPhone. "We knew this was going to happen," Wysopal says, noting that the discovery syncs with worries that cybercriminals would eventually spread malware by modifying legitimate apps. "This is something we've seen a lot in China, and with the original Windows Mobile [platform]," he says.
Wysopal says Google may have to start at least scanning apps for known malware threats. The so-called "rageagainstthecage" rooting exploit and DroidDream were both known pieces of malware that could have been detected, he says.
Google's Android platform has been on a major growth spurt, and with that popularity comes a big bull's eye. Just this week, researchers found a new Trojan called Android.Pjapps in legitimate Android apps and that builds a botnet.
"[Android] becomes more attractive as a target as its adoption grows," says Andy Chou, chief scientist and co-founder of Coverity. "And the number of smartphones is expected to exceed the number of PC's soon."
Chou says an even bigger opportunity for the bad guys is going after the Android platform itself. He recently scanned a development version of the Android OS he got from Google, MSM Development Branch 2.6.35, in which he found a total of 149 software defects, 22 of which were considered "high risk." Chou gave his findings to Google.
"Attacks on the core operating system or other components that are widely distributed would be more severe," Chou says. "Ultimately, we will see attacks at that level as the platform becomes more widely deployed."
One of the biggest challenges here is how different vendors customize the Android OS, and even use different versions on it for their platforms, making patching difficult.
Meanwhile, the DroidDream-infested Android apps so far appear to be the handiwork of a single developer who used three different developer names, "Kingmall2010," "we20090202," and "Myournet." Kevin Mahaffey, co-founder and CTO at mobile security provider Lookout Security, says Lookout's research was able to discern it was just one developer due to the way he packaged the apps.
The infected apps gain root control of the smartphone, which means the attacker can get hold of any data on the phone. "What's really scary is that it's capable of downloading new code and installing that on the phone ... so it could install a botnet or spyware," Veracode's Wysopal says.
So when Google remotely "wipes" or "kills" the bad apps from Androids, the device remains rooted, he notes. "As far as I know, there are not tools yet to clean this up. You have to completely restart the device from scratch and reset it to its factory-state," he says.
Wysopal says having rooted Androids out there is dangerous. "This gets fixed in Android 2.2. and 2.3, but one of problems with the Android market is the OS is very fragmented ... there are providers that customize it and aren't able to patch for that vulnerability," he says. So even if there's a fix issued for the root, a lot of Androids are running older versions of the OS that can't get updated.
"So some other guy can do the same thing all over again. What's to stop this [attack] from happening again tomorrow?" Wysopal says.
Lookout's Mahaffey says his company is working on a cleanup tool and hopes to release it shortly, and that its mobile anti-malware service now catches DroidDream, although the new unknown variant used in the rogue apps slipped by it initially. "We caught them last night," he says.
It's unclear just what the attackers behind the rogue apps are after, however. Mahaffey says the command-and-control function isn't actively sending commands, so it may just be in the experimental phase.
"What they are doing is a little bit of a mystery," Veracode's Wysopal says. "The attacker may be exploring building mobile botnets ... they likely are going to use them for what we've seen in special-purpose malware: premium SMS dialing and ad-click fraud."
A Kaspersky Lab researcher studying the Super Guitar Solo app says it can get the product ID, device type, language, country, and userID, as well as other information on the phone, which can be uploaded to a remote server.
"This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format," he blogged.
A complete list of the phony and malicious Android apps is here from Symantec.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.